CVE-2026-43582 Overview
CVE-2026-43582 is a server-side request forgery (SSRF) vulnerability in OpenClaw versions before 2026.4.10. The flaw resides in the browser navigation policy, where hostname validation can be bypassed through DNS rebinding. An attacker exploits the inconsistency between the hostname resolution performed during validation and the one performed for the actual network request, reaching internal resources through URLs whose hostnames are not on the allowlist. The weakness is classified under CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition.
Critical Impact
Attackers can pivot from the OpenClaw browser navigation policy to internal network resources, exposing services that are not intended to be reachable from external callers.
Affected Products
- OpenClaw versions prior to 2026.4.10
- OpenClaw browser navigation policy component
- Deployments relying on hostname allowlist validation in OpenClaw
Discovery Timeline
- 2026-05-06 - CVE-2026-43582 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-43582
Vulnerability Analysis
The vulnerability is a classic TOCTOU SSRF pattern. OpenClaw resolves a hostname once during policy validation and again when issuing the outbound request. An attacker controls a DNS server that returns different IP addresses across these two lookups. The first response satisfies the allowlist check, while the second response points the actual connection to an internal target.
This double-resolution pattern defeats hostname-based allowlisting because validation operates on a name, not on the resolved address used for the connection. The attacker must control DNS responses for a domain the target will resolve, and the attack requires precise timing to flip records between the two resolutions.
Root Cause
The root cause is a time-of-check to time-of-use race in the browser navigation policy. Hostname validation and the network connection use independent DNS resolutions rather than a single resolution result that is reused. The fix introduced in commit 121c452 addresses this gap, as documented in the OpenClaw GHSA-xq94-r468-qwgj advisory.
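The two patterns described above, as an added example that is not OpenClaw's code: a double-resolution navigation check next to the resolve-once variant the Workarounds section recommends. The resolver, allowlist, and hostnames are constructed stand-ins; the internal ranges mirror the iptables rules later on this page.

```python
import ipaddress
from typing import Callable, Iterable

# Ranges a navigation request must never reach (mirrors the iptables
# workaround on this page); IPv6 equivalents would be added in production.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16")]

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def rebinding_resolver(answers: Iterable[str]) -> Callable[[str], str]:
    """Constructed stand-in for a rebinding DNS zone: each lookup returns the
    next listed answer (the last one repeats), so two lookups of the same
    name can see two different addresses."""
    answers = list(answers)
    it = iter(answers)
    return lambda hostname: next(it, answers[-1])

def navigate_vulnerable(hostname: str, allowlist: set, resolve) -> str:
    """Double-resolution pattern (CWE-367): the policy check and the connect
    step each run their own DNS lookup. Returns the IP actually connected to."""
    # Time of check: validate the name and whatever it resolves to right now
    if hostname not in allowlist or is_internal(resolve(hostname)):
        raise PermissionError(f"policy denied {hostname}")
    # Time of use: the network layer resolves the name again; a zone whose
    # record flipped in between hands back an internal address here
    return resolve(hostname)

def navigate_fixed(hostname: str, allowlist: set, resolve) -> str:
    """Single-resolution pattern: resolve once, validate that result, and pass
    the pinned address (never the name) to the connect step."""
    if hostname not in allowlist:
        raise PermissionError(f"{hostname} is not allowlisted")
    ip = resolve(hostname)
    if is_internal(ip):
        raise PermissionError(f"{hostname} resolved to internal address {ip}")
    # Caller connects to `ip` and sets Host/SNI to `hostname`; no second lookup
    return ip

def policy_denies(navigate, hostname: str, allowlist: set, resolve) -> bool:
    # True when the given navigation function refuses the request
    try:
        navigate(hostname, allowlist, resolve)
    except PermissionError:
        return True
    return False
```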
Attack Vector
The attack is network-based and requires the attacker to control an authoritative DNS server. The attacker registers a hostname pointing initially to a public, allowlisted IP. After OpenClaw validates the hostname, the attacker reconfigures DNS to return an internal address such as 127.0.0.1, 169.254.169.254, or an RFC 1918 range. OpenClaw then connects to the internal resource on behalf of the attacker. See the VulnCheck advisory for additional details on the exploitation flow.
Detection Methods for CVE-2026-43582
Indicators of Compromise
- Outbound DNS queries from OpenClaw hosts to attacker-controlled domains whose records carry very short TTLs and expire rapidly
- OpenClaw process connections to RFC1918, loopback, or cloud metadata addresses such as 169.254.169.254
- Multiple DNS resolutions for the same hostname returning different IP families or address ranges within a short window
Detection Strategies
- Correlate DNS resolution responses against subsequent TCP connection destinations from the OpenClaw process and alert on mismatches
- Flag any hostname resolution where one answer is public and a near-simultaneous answer is private or link-local
- Inspect navigation policy logs for requests to hostnames whose final resolved IP differs from the allowlist-validated IP
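The three detection strategies above as runnable correlation logic, added here as an example rather than taken from any OpenClaw tooling. The event format and the sample lines are constructed; in practice the DNS answers would come from resolver logs and the connections from process-level network telemetry for the OpenClaw service account.

```python
import ipaddress
from collections import defaultdict

INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "169.254.0.0/16")]

def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

# Constructed sample telemetry (not a real OpenClaw log format), one event per
# line: "<epoch seconds> <dns|connect> <hostname> <ip>" for the OpenClaw account
SAMPLE_EVENTS = """\
100.0 dns cdn.example.test 203.0.113.10
100.1 connect cdn.example.test 203.0.113.10
200.0 dns rebind.example.test 203.0.113.20
200.3 dns rebind.example.test 169.254.169.254
200.4 connect rebind.example.test 169.254.169.254
300.0 connect direct.example.test 10.0.0.5
"""

def parse_events(text: str):
    events = []
    for line in text.splitlines():
        ts, kind, name, ip = line.split()
        events.append((float(ts), kind, name, ip))
    return sorted(events)

def detect_rebinding(events, window: float = 5.0):
    """Correlate DNS answers with later connections of the same hostname.
    Returns (rule, hostname, ip) alerts, in event order."""
    alerts = []
    answers = defaultdict(list)            # hostname -> [(ts, ip), ...]
    for ts, kind, name, ip in events:
        recent = [aip for ats, aip in answers[name] if ts - ats <= window]
        if kind == "dns":
            # One public and one internal answer for the same name in a
            # short window is the rebinding signature itself
            if any(is_internal(aip) != is_internal(ip) for aip in recent):
                alerts.append(("mixed-answers", name, ip))
            answers[name].append((ts, ip))
        elif kind == "connect":
            if is_internal(ip) and any(not is_internal(a) for a in recent):
                # Validation saw a public address, the socket went internal
                alerts.append(("rebind-connect", name, ip))
            elif ip not in recent:
                # Destination never returned by the resolver for this name
                alerts.append(("unresolved-dest", name, ip))
    return alerts
```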
Monitoring Recommendations
- Enable verbose logging in the OpenClaw browser navigation policy and ship logs to a centralized analytics platform
- Monitor egress traffic from OpenClaw hosts to internal subnets and cloud metadata endpoints
- Track DNS records with abnormally low TTLs requested by OpenClaw service accounts
How to Mitigate CVE-2026-43582
Immediate Actions Required
- Upgrade OpenClaw to version 2026.4.10 or later, which contains the fix from commit 121c452
- Inventory all OpenClaw deployments and confirm version status before exposing them to untrusted input
- Restrict OpenClaw network egress to only the destinations required for legitimate operation
Patch Information
The upstream fix is available in the OpenClaw commit 121c452 and described in the GitHub Security Advisory GHSA-xq94-r468-qwgj. Apply the patched release 2026.4.10 to remediate the SSRF.
Workarounds
- Place OpenClaw behind an egress proxy that enforces IP-based allowlists rather than hostname-based rules
- Block access from OpenClaw hosts to internal management ranges, loopback, and cloud metadata services at the network layer
- Pin DNS resolution to a controlled resolver and cache results for the duration of each navigation policy decision and request
# Configuration example: restrict OpenClaw egress with iptables
# The owner match only applies in the OUTPUT chain, and these rules are IPv4-only;
# mirror them with ip6tables on dual-stack hosts. 169.254.0.0/16 also covers the
# cloud metadata endpoint 169.254.169.254 referenced above.
iptables -A OUTPUT -m owner --uid-owner openclaw -d 127.0.0.0/8 -j REJECT
iptables -A OUTPUT -m owner --uid-owner openclaw -d 10.0.0.0/8 -j REJECT
iptables -A OUTPUT -m owner --uid-owner openclaw -d 172.16.0.0/12 -j REJECT
iptables -A OUTPUT -m owner --uid-owner openclaw -d 192.168.0.0/16 -j REJECT
iptables -A OUTPUT -m owner --uid-owner openclaw -d 169.254.0.0/16 -j REJECT
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.